1/6: I hope @SenKatyG and @VictorDominello understand that the current "Trusted Digital Identity Framework" requires Identity Exchanges to store somewhat-obfuscated identity document numbers on an internet-facing server.

https://twitter.com/tqft9999/status/1577138185339301889

2/6: If it isn't immediately obvious why this is a bad idea (and one would hope that by now it might be at least a little bit obvious), please read @bgf_nz 's master's thesis: bfrengley.github.io/thesis.pdf
"How trustworthy is the Trusted Digital Identity Framework?"

1/7: @NSWElectoralCom statement on today's Internet voting meltdown.

elections.nsw.gov.au/About-us/Media…
It says disenfranchised voters won't be fined, but doesn't say whether the election results are expected to stand.

More than 650,000 votes were received, which may be a world record. 2/7: Apologises to voters not able to vote as a result of the outage; no apology to candidates who may or may not have failed to get elected as a consequence of their supporters being excluded.

1/11: If you haven't read the (Aus) Critical Infrastructure Bill because (like me) you foolishly assumed it was about protecting critical infrastructure, now is ... probably too late.
aph.gov.au/Parliamentary_…
So here's a short summary of the "protections" you can't refuse #Auspol 2/11: Everyone agrees that the threat of cyberattack is serious, the results could be devastating, and Australia is woefully unprepared.

The question is whether forced "assistance" from @ASDGovAu and Home Affairs will make us more or less safe & secure.

1/4: When I installed the service Vic app on June 4 (when it became compulsory) the splash screen told me "Your personal details always stay on your phone," which is not true: your check-in details are uploaded to a central database immediately when you check in. #Vicpol @OVIC_AU

https://twitter.com/theage/status/1407088544422760454

2/4: Now (surprise, surprise!) we're debating further access to that database, which never had to be built in the first place. Aotearoa/NZ and the UK have 'automated diary'-style apps in which your check-in data does stay on your phone, with notification to the affected person.

1/5: Remember how @ElectionsACT didn't need to make their source code openly available for public scrutiny because it was going through an "audit and certification process"?

They published the votes on Friday and it is immediately evident that the counting code has bugs.
#ACTpol 2/5: Andrew Conway implemented the count & found notable discrepancies with the official tallies - more than 20 votes in some cases. Our report is at github.com/SiliconEconome…

None of these bugs change the winners. They could have, but this year - by sheer good luck - they didn't.

1/11: A comparison on the state of CovidApp transparency in Aus, the UK and Singapore.

Singapore released app and server code weeks ago.

Aus & the UK released app code, and no server code, within the last 24 hours.

#CovidSafeApp @chrisculnane @rgmerk @noneuclideangrl @1Br0wn 2/11: Singapore & the UK have released whitepapers explaining their crypto and assumptions. The UK's is by @NCSC's Ian Levy: ncsc.gov.uk/files/NHS-app-…
In both cases, there are some things I disagree with, but I respect the authors for putting the details out for review.

1/11: Why there are there two almost-opposite technical threads here, one saying "#covidsafeapp gathers so much LESS data than anything else on your phone," and another saying "this app gathers info that no other app on your phone collects"? The answer is that they're both true. 2/11: It's true that #covidsafepp doesn't do any of the usual nasties, e.g. GPS tracking or microphone surveillance. However, it builds an infrastructure for gathering a completely new kind of mass data: fine-grained detail about who was how close to whom, when.

1/7: Hang on a minute, I have misunderstood something important. In my blog post I wrote of Tracetogether "Whenever you're within Bluetooth range of a person, you send them your ID, encrypted with the public key of the Singaporean authorities."
Is that what everyone else thought? 2/7: But their whitepaper actually says: "TempIDs are cryp-tographically generated by the backend service."
bluetrace.io/static/bluetra…
Those encrypted IDs you send out all the time are AES encryptions, generated for you by a central server, using a key you don't know.

1/6: OK, let's think of a list of specific questions - I'll start with whether "What is being proposed is no different than our existing health surveillance system." In our current system, a health official asks an infected person for a list of people & places they've been near.

https://twitter.com/johncoyne14/status/1250563572096102400

2/6: Some obvious differences:
- When relying on human memory, you might forget. Automation should be better.
- When relying on human memory, you can choose to omit certain people or places. Will Australia's app have that option, or will it be all-or-nothing?
#covid19australia

Analysis with @SarahJamieLewis and Olivier Pereira of the SwissPost-Scytl e-voting system. people.eng.unimelb.edu.au/vjteague/Swiss… The code uses a trapdoor commitment scheme, so it is possible for an authority to provide a proof of a correct election outcome while actually manipulating votes. This is exactly what verifiability is meant to prevent. They say they have now fixed it, but without an open public process for examining the code, we can't be sure whether other similar issues remain, or whether other Internet voting systems such as NSW iVote are also affected.